You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by "Lacerda, Wellington (AFIS)" <We...@fao.org> on 2000/11/15 11:21:44 UTC

using SSL on standalone Tomcat - Urgent !

Hi All,

I've set up SSL on a 3.2b7 instance. Also I defined a context, say /wlss,
with a directory and a resource, say /wlss1/index.htm inside that context.

I want to configure that context in such a way that the access to
/wlss1/index.htm is only allowed if the transport is guaranteed at
confidential level(SSL). I read the spec and created this web.xml to do the
job:

<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>a</web-resource-name>
   <url-pattern>/wlss1/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
   <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
  </web-resource-collection>
 </security-constraint>
</web-app>

By my understanding, I'm allowing access to the resource collection "a" -
mapped to /wlss1/anything with GET or POST only through a confidential
transport - SSL. 

It's not working at all. I can still access it through normal http. Am I
missing something here ?

Another question - how to impose confidential transport to the entire
context ?

Thanks in advance for any help,

Wellington Silva
UN/FAO

Re: using SSL on standalone Tomcat - Urgent !

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.

"Lacerda, Wellington (AFIS)" wrote:

> Hi All,
>
> I've set up SSL on a 3.2b7 instance. Also I defined a context, say /wlss,
> with a directory and a resource, say /wlss1/index.htm inside that context.
>
> I want to configure that context in such a way that the access to
> /wlss1/index.htm is only allowed if the transport is guaranteed at
> confidential level(SSL). I read the spec and created this web.xml to do the
> job:
>
> <web-app>
>  <security-constraint>
>   <web-resource-collection>
>    <web-resource-name>a</web-resource-name>
>    <url-pattern>/wlss1/*</url-pattern>

Change this to "/*".  The <url-pattern> setting is relative to your context,
not to the server root.

>
>    <http-method>GET</http-method>
>    <http-method>POST</http-method>
>    <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>    </user-data-constraint>
>   </web-resource-collection>
>  </security-constraint>
> </web-app>
>
> By my understanding, I'm allowing access to the resource collection "a" -
> mapped to /wlss1/anything with GET or POST only through a confidential
> transport - SSL.
>
> It's not working at all. I can still access it through normal http. Am I
> missing something here ?
>
> Another question - how to impose confidential transport to the entire
> context ?
>
> Thanks in advance for any help,
>
> Wellington Silva
> UN/FAO

Craig McClanahan